Keeping your WordPress site secure

We all know that hackers are out there, and they will try to get into anything that they can – just in case there is an opportunity for them.

The 1 billion plus websites that are out there are no exception. Lots of them are powered by four key platforms – WordPress, Joomla, Magento and Drupal. WordPress is arguably the leading platform, and for good reason: it is relatively easy to set up and add content to. You can even go to www.wordpress.com and start a site without even registering a domain name! It is no wonder that WordPress has been adopted by so many.

The flipside of this is that there are now many unskilled webmasters out there, who often don’t understand what keeping a site secure actually requires.

Some worrying statistics:

I found that of over 11,000 compromised websites that were analysed, 75% were powered by WordPress. On top of that, more than 50% of those sites were out of date.

As of March 2016, Google stated that it had displayed over 50 million warnings in search results flagging sites as compromised. It currently blocks around 20,000 websites for malware, and 50,000 for phishing.

How to get your site secure:

Today I worked on two websites for a customer to get them secure. We don’t normally do websites, but these sites are owned by a good customer of ours, and we took over hosting them from the previous supplier, as the customer deemed us to be the more reliable option. We had moved the websites over to us recently, thinking that the sites were relatively up to date, but we soon received a notification from our web hosts to say that one site was behaving strangely.

Having looked at the back end of the sites in more detail, we found that both sites were running WordPress installations that were VERY out of date – as in, a couple of years! After taking the mandatory backups, I upgraded both sites to the latest version of WordPress – straightforward these days, as WordPress can update itself at the click of a button! Next were the plugins – fortunately most of them were still maintained, so it was easy to update them. There was one, however (a lightbox plugin), that was forked from another plugin, and neither had been updated for a few years. So I found another plugin and replaced the out-of-date one.

After this, I applied one of my favourite plugins – Wordfence (http://www.wordfence.com). Wordfence, put simply, is a firewall for your WordPress site. It will block several types of hack attempt, and will inform you should one happen. You can then follow your own course of action, such as choosing to take your site offline, or taking an immediate backup. A couple of other cool features of Wordfence are that it can scan plugins to see if they have been modified (read “hacked”), and can scan the whole WordPress install for modified files, comparing them against the official copies on WordPress.org. Definitely worth installing!

Another plugin worth mentioning is Duplicator (http://lifeinthegrid.com/labs/duplicator). This provides a brilliant way to take a backup of your entire site (files and database) and download it to your machine. There are other plugins available that do something similar, and some can even upload backups regularly to your Dropbox account, but for my purposes Duplicator fitted the bill. I used it to take backups before and after I upgraded the sites, giving me plenty of options should I have had a problem.
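To make the last two points concrete, here is an added Python example, written for this post and not code from Wordfence or Duplicator, that does in miniature what those two plugins do: it records a SHA-256 hash of every file under a WordPress directory, compares a later scan against that baseline to list modified, added and removed files (the "modified files" scan), and takes a tarball backup which it then restores into a scratch directory and diffs against the baseline, because a backup you have never restored is not a backup. The directory tree, the file contents, the "tampered" plugin file and the file dropped into uploads/ are all constructed inline so the script runs offline; none of it comes from a real site.

```python
"""Added example for this post: a miniature version of what Wordfence's
file scan and Duplicator's backup do.  Not the plugins' own code."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_path: sha256} for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline, current):
    """Diff two manifests: files whose hash changed, new files, deleted files."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def backup(root, archive):
    """Write a gzipped tarball of root and return the manifest it was taken
    from.  Keep both the archive and the manifest off the web server."""
    manifest = hash_tree(root)
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(root), arcname=".")
    return manifest


def verify_backup(archive, manifest):
    """Restore the archive into a scratch directory and diff it against the
    manifest.  An all-empty diff means the backup restores cleanly."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive), "r:gz") as tar:
            # Python 3.12 (and recent 3.8-3.11 releases) offer the "data" filter,
            # which refuses path traversal and special members on extraction.
            if hasattr(tarfile, "data_filter"):
                tar.extractall(scratch, filter="data")
            else:
                tar.extractall(scratch)
        return compare(manifest, hash_tree(scratch))


def make_sample_site(root):
    """Constructed stand-in for a WordPress tree (assumption: not a real install)."""
    files = {
        "wp-config.php": "<?php define('DB_NAME', 'example');\n",
        "wp-includes/version.php": "<?php $wp_version = '4.5';\n",
        "wp-content/plugins/lightbox/lightbox.php": "<?php /* Plugin Name: Lightbox */\n",
    }
    for rel, body in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)


def demo():
    """Take a baseline and backup, simulate a compromise, then scan and verify."""
    with tempfile.TemporaryDirectory() as work:
        site = Path(work, "htdocs")
        make_sample_site(site)
        archive = Path(work, "pre-upgrade.tar.gz")
        baseline = backup(site, archive)

        # Simulated tampering (constructed): the plugin file is rewritten with a
        # typical injected line, and a new PHP file appears under uploads/.
        Path(site, "wp-content/plugins/lightbox/lightbox.php").write_text(
            "<?php eval(base64_decode($_POST['p']));\n")
        dropped = Path(site, "wp-content/uploads/.cache.php")
        dropped.parent.mkdir(parents=True)
        dropped.write_text("<?php echo 'constructed sample';\n")

        scan = compare(baseline, hash_tree(site))
        restore = verify_backup(archive, baseline)
        return scan, restore


if __name__ == "__main__":
    scan, restore = demo()
    print("scan:", scan)
    print("backup restores cleanly:", not any(restore.values()))
```

Run it with `python3` and the scan reports the rewritten lightbox.php as modified and the uploads/.cache.php file as added, while the restore check comes back empty. In real use the baseline must be taken while the site is known to be clean (or, as Wordfence does, compared with the official WordPress.org copies), and a hash mismatch tells you a file changed, not whether the change was an update or an attacker; you still have to look.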

My last suggestion is to consider using two-factor authentication on your WordPress login. There are plugins that work with Google Authenticator (or any other app that generates time-based one-time codes), and it works really well.
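For anyone wondering what those six digits actually are, here is an added Python example (written for this post, not the code of any WordPress 2FA plugin): the Google Authenticator code is RFC 6238 TOTP, which is RFC 4226 HOTP with the counter set to the current 30-second window. It also shows the server side, which is where plugins get it wrong: the check allows one window of clock drift, compares in constant time, and records each accepted window so the same code cannot be replayed within its 30 seconds. The secret is the RFC test key so the results can be checked against the RFCs; the account name and issuer are made up.

```python
"""Added example for this post: what a Google Authenticator code is (RFC 6238
TOTP built on RFC 4226 HOTP) and how a server should check it.  Not the code
of any WordPress 2FA plugin."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# The RFC 4226 / RFC 6238 test secret, so the numbers can be checked against
# the RFCs.  A real enrolment would use os.urandom(20) and store it encrypted.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then 'dynamic
    truncation' to a 31-bit number, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to the current 30-second window."""
    return hotp(secret, int(unix_time) // step, digits)


def provisioning_uri(secret, account, issuer):
    """The otpauth:// URI the enrolment QR code carries; apps expect the secret
    as unpadded base32 and the label URL-encoded."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}")


def verify_totp(secret, submitted, unix_time, used_windows, step=30, skew=1, digits=6):
    """Server-side check.  Accepts the current window or +/- `skew` neighbours
    (phones drift), compares in constant time, and records the accepted window
    in `used_windows` (a per-user set the caller persists) so a code that was
    phished or shoulder-surfed cannot be replayed inside its 30 seconds."""
    if len(submitted) != digits or any(c not in "0123456789" for c in submitted):
        return False
    now = int(unix_time) // step
    for window in range(now - skew, now + skew + 1):
        if window in used_windows:
            continue
        if hmac.compare_digest(hotp(secret, window, digits), submitted):
            used_windows.add(window)
            return True
    return False


if __name__ == "__main__":
    print(provisioning_uri(RFC_TEST_SECRET, "admin@example.com", "Example Blog"))
    print("code right now:", totp(RFC_TEST_SECRET, time.time()))
```

The `used_windows` set is the part most home-grown implementations skip: without it, an attacker who sees a code (a phishing page that proxies the login, for instance) can use it themselves for up to 90 seconds, which is exactly the window the skew allowance opens.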

In summary:

Keeping your WordPress site secure isn’t really any different to keeping any other IT asset secure: make sure your passwords are strong and unique (and changed as soon as you suspect they have leaked), monitor your site for unusual behaviour, use well-reviewed security tools to help you increase security, and finally keep your site up to date! Lastly, if all else should fail, you can always restore the site from your regular backups. You DO keep regular backups, don’t you? 🙂